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CLAIMS 

What is claimed is: 

1. A method comprising: 

stalling an attempt to reference an object; and 
determining whether an attempter that originated 
said attempt is authorized to access said object, 
wherein upon a determination that said attempter is 
authorized to access said object, said method further 
comprising saving at least part of said object. 

2 . The method of Claim 1 wherein upon a 
determination that said attempter is authorized to 
access said object, said method further comprising 
releasing said attempt . 

3 . The method of Claim 2 wherein upon said 
releasing said attempt, said method further comprising 
determining if access is granted using an access 
control list. 

4 . The method of Claim 2 wherein upon said 
releasing said attempt an ObRef erenceObj ectByHandle ( ) 
function is invoked. 

5 . The method of Claim 1 wherein upon a 
determination that said attempter is not authorized to 
access said object, said method further comprising 
denying said attempt . 

6. The method of Claim 1 further comprising 
hooking object functionality. 

7. The method of Claim 6 wherein said object 
functionality comprises functionality associated with 
creating, modifying, or closing said object. 
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8 . The method of Claim 6 wherein said hooking 
object functionality comprises hooking a user mode 
library. 

9. The method of Claim 6 wherein said hooking 
object functionality comprises hooking a system call 
table . 

10. The method of Claim 6 wherein said hooking 
object functionality comprises hooking an object 
manager . 

11. The method of Claim 6 wherein said hooking 
object functionality comprises hooking an 

ObRef erenceObjectByHandle () function. 

12 . The method of Claim 6 wherein said hooking 
object functionality comprises hooking an 

ObDeref erenceObj ect ( ) function . 

13 . The method of Claim 6 wherein said hooking 
object functionality comprises hooking object type 
procedures . 

14 . The method of Claim 1 further comprising 
determining whether said attempt has occurred. 

15. The method of Claim 1 further comprising 
stalling an attempt to release said object. 

16. The method of Claim 15 further comprising 
determining whether said object has changed. 

17. The method of Claim 16 wherein upon a 
determination that said object has not changed, said 
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method further comprising releasing said attempt to 
release said object. 

18. The method of Claim 16 wherein upon a 
determination that said object has changed, said method 
further comprising determining if said attempter is 
authorized to change said object. 

19. The method of Claim 18 wherein upon a 
determination that said attempter is authorized to 
change said object, said method further comprising 
releasing said attempt to release said object. 

20. The method of Claim 18 wherein upon a 
determination that said attempter is not authorized to 
change said object, said method further comprising 
restoring said object. 

21. The method of Claim 2 0 wherein said restoring 
comprises replacing at least part of said object with a 
saved at least part of said object. 

22. A method comprising: 
hooking object functionality ,- 
stalling an attempt to release an object 

originating from an attempter; 

determining that said object has been changed by 
said attempter; 

determining that said attempter did not have 
authority to change said object; 

restoring said object; and 

releasing said attempt. 

23. The method of Claim 22 wherein said attempter 
is a user of a computer system. 
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24. The method of Claim 22 wherein said attempter 
is a process on a computer system. 

25. The method of Claim 24 wherein said process 
is a kernel mode process. 

26. A method comprising: 

stalling an attempt to reference an object 
originating from an attempter; 

determining whether said attempter is being 
monitored, wherein upon a determination that said 
attempter is being monitored, said method further 
comprising : 

recording attempt information about said attempt. 

27. The method of Claim 26 further comprising 
releasing said attempt. 

28. The method of Claim 27, wherein upon said 
releasing said attempt, said method further comprising 
determining if access is granted using an access 
control list . 

29. The method of Claim 28 further comprising 
recording access results. 

30. The method of Claim 26 wherein upon a 
determination that said attempter is not being 
monitored, said method further comprising: 

releasing said attempt . 

31. The method of Claim 26 further comprising 
hooking object functionality. 

32. The method of Claim 26 further comprising 
stalling an attempt to release said object. 
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33. The method of Claim 32 further comprising 
recording attempt information about said attempt to 
release said object. 

34. A method comprising: 

stalling an attempt to release an object 
originating from an attempter; 

determining whether said attempter is being 
monitored, wherein upon a determination that said 
attempter is being monitored, said method further 
comprising : 

recording attempt information about said attempt. 

35. A system comprising: 

a means for stalling an attempt to reference an 
object ; 

a means for determining whether an attempter that 
originated said attempt is authorized to access said 
object; and 

a means for saving at least part of said object 
upon a determination that said attempter is authorized 
to access said object. 

36. A computer -program product comprising a 
computer- readable medium containing computer program 
code comprising: 

a behavior blocking and monitoring application for 
stalling an attempt to reference an object; and 

said behavior blocking and monitoring application 
further for determining whether an attempter that 
originated said attempt is authorized to access said 
object, wherein upon a determination that said 
attempter is authorized to access said object, said 
behavior blocking and monitoring application further 
for saving at least part of said object. 
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37. A computer system comprising: 

a memory having stored therein a behavior blocking 
and monitoring application; and 

a processor coupled to said memory, wherein 
execution of said behavior blocking and monitoring 
application generates a method comprising: 

stalling an attempt to reference an object; and 

determining whether an attempter that originated 
said attempt is authorized to access said object, 
wherein upon a determination that said attempter is 
authorized to access said object, said method further 
comprising saving at least part of said object. 
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